مرکز مدیریت امداد و هماهنگی عملیات رخدادهای رایانه‌ای

ورود به حساب کاربری

‫ Third of Internet Explorer users at risk from attacks

ID: IRCNE2014022101

Date: 2014-02-15

According to “ComputerWorld”, Microsoft on Friday said that both Internet Explorer 10 and its predecessor, IE9, contained an unpatched vulnerability, but that hackers were currently exploiting only the newest, IE10.

The extension of the vulnerability to IE9 followed confirmation earlier yesterday that active attacks are compromising the newer IE10 and hijacking PCs running the browser.

With both IE9 and IE10 vulnerable, it means that about a third of all those using Internet Explorer are at risk.

According to Web analytics vendor Net Applications, IE9 accounted for 15.3% of the total IE user share last month; IE10's share was 15.9%. Together, the two editions represented 31.2% of Internet Explorer's January user share.

Milpitas, Calif.-based FireEye was the first to spot the attacks, and said that they had been aimed at IE10 as part of a campaign targeting current and former U.S. military personnel when they visited the Veterans of Foreign Wars (VFW) website.

While FireEye said it identified the "zero-day" vulnerability -- a term to indicate that the flaw is currently unpatched -- on Feb. 11, yesterday San Diego security company Websense said it had found evidence that the exploit may have been used as early as Jan. 20, or more than three weeks ago.

Microsoft's advice to customers that they upgrade to IE11 was not possible for those still running Windows Vista. That 2007 operating system cannot run either IE10 or IE11. Most Vista users are likely running IE9, since Microsoft automatically upgraded their copies of from IE7 or IE8 to the then-new IE9 in the first half of 2012.

The only silver lining is that few Windows users run Vista: Last month, the oft-disparaged OS represented just 3.6% of all editions of Windows.

Microsoft has not said if it will issue an "out-of-band" security update -- a rush fix shipped before the next regularly-scheduled Patch Tuesday of March 11 -- or yet issued a formal security advisory. It will certainly do the latter, and at that time may, as it often does, provide a work-around to protect IE9 and IE10 users.